kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'develop' into attestation_store

Browse Source
This commit is contained in:
Julien Cretin
2022-07-14 12:37:11 +02:00
parent f528567ce1 4736cc63c4
commit b28f8f6d33
4 changed files with 517 additions and 332 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/ctap/mod.rs
View File

@@ -16,6 +16,7 @@ pub mod apdu;
mod client_pin;
pub mod command;
mod config_command;
mod credential_id;
mod credential_management;
mod crypto_wrapper;
#[cfg(feature = "with_ctap1")]
@@ -40,10 +41,11 @@ use self::command::{
AuthenticatorVendorConfigureParameters, AuthenticatorVendorUpgradeParameters, Command,
};
use self::config_command::process_config;
use self::credential_management::process_credential_management;
use self::crypto_wrapper::{
decrypt_credential_source, encrypt_key_handle, PrivateKey, MAX_CREDENTIAL_ID_SIZE,
use self::credential_id::{
decrypt_credential_id, encrypt_to_credential_id, MAX_CREDENTIAL_ID_SIZE,
};
use self::credential_management::process_credential_management;
use self::crypto_wrapper::PrivateKey;
use self::data_formats::{
AuthenticatorTransport, CoseKey, CoseSignature, CredentialProtectionPolicy,
EnterpriseAttestationMode, GetAssertionExtensions, PackedAttestationStatement,
@@ -808,7 +810,7 @@ impl CtapState {
if let Some(exclude_list) = exclude_list {
for cred_desc in exclude_list {
if storage::find_credential(env, &rp_id, &cred_desc.key_id, !has_uv)?.is_some()
|| decrypt_credential_source(env, cred_desc.key_id, &rp_id_hash)?.is_some()
|| decrypt_credential_id(env, cred_desc.key_id, &rp_id_hash, !has_uv)?.is_some()
{
// Perform this check, so bad actors can't brute force exclude_list
// without user interaction.
@@ -882,7 +884,7 @@ impl CtapState {
storage::store_credential(env, credential_source)?;
random_id
} else {
encrypt_key_handle(env, &private_key, &rp_id_hash)?
encrypt_to_credential_id(env, &private_key, &rp_id_hash, cred_protect_policy)?
};
let mut auth_data = self.generate_auth_data(env, &rp_id_hash, flags)?;
@@ -1081,7 +1083,8 @@ impl CtapState {
if credential.is_some() {
return Ok(credential);
}
let credential = decrypt_credential_source(env, allowed_credential.key_id, rp_id_hash)?;
let credential =
decrypt_credential_id(env, allowed_credential.key_id, rp_id_hash, !has_uv)?;
if credential.is_some() {
return Ok(credential);
}
@@ -1487,7 +1490,7 @@ mod test {
AuthenticatorAttestationMaterial, AuthenticatorClientPinParameters,
AuthenticatorCredentialManagementParameters,
};
use super::crypto_wrapper::ECDSA_CREDENTIAL_ID_SIZE;
use super::credential_id::CBOR_CREDENTIAL_ID_SIZE;
use super::data_formats::{
ClientPinSubCommand, CoseKey, CredentialManagementSubCommand, GetAssertionHmacSecretInput,
GetAssertionOptions, MakeCredentialExtensions, MakeCredentialOptions, PinUvAuthProtocol,
@@ -1694,7 +1697,7 @@ mod test {
make_credential_response,
0x41,
&storage::aaguid(&mut env).unwrap(),
ECDSA_CREDENTIAL_ID_SIZE as u8,
CBOR_CREDENTIAL_ID_SIZE as u8,
&[],
);
}
@@ -1821,7 +1824,7 @@ mod test {
make_credential_response,
0xC1,
&storage::aaguid(&mut env).unwrap(),
ECDSA_CREDENTIAL_ID_SIZE as u8,
CBOR_CREDENTIAL_ID_SIZE as u8,
&expected_extension_cbor,
);
}
@@ -2064,7 +2067,7 @@ mod test {
make_credential_response,
0x41,
&storage::aaguid(&mut env).unwrap(),
ECDSA_CREDENTIAL_ID_SIZE as u8,
CBOR_CREDENTIAL_ID_SIZE as u8,
&[],
);
}
@@ -2435,8 +2438,8 @@ mod test {
let auth_data = make_credential_response.auth_data;
let offset = 37 + storage::aaguid(&mut env).unwrap().len();
assert_eq!(auth_data[offset], 0x00);
assert_eq!(auth_data[offset + 1] as usize, ECDSA_CREDENTIAL_ID_SIZE);
auth_data[offset + 2..offset + 2 + ECDSA_CREDENTIAL_ID_SIZE].to_vec()
assert_eq!(auth_data[offset + 1] as usize, CBOR_CREDENTIAL_ID_SIZE);
auth_data[offset + 2..offset + 2 + CBOR_CREDENTIAL_ID_SIZE].to_vec()
}
_ => panic!("Invalid response type"),
};